Nixpkgs security tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: perl5Packages.AstroFITSHeader

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-45028
2.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 week, 4 days ago Activity log
  • Created suggestion 1 week, 4 days ago
Astro: Server island encrypted parameters vulnerable to cross-component replay

Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.

Affected products

astro
  • ==< 6.1.10

Matching in nixpkgs

pkgs.astroid

GTK frontend to the notmuch mail system

  • nixos-unstable 0.17
    • nixpkgs-unstable 0.17
    • nixos-unstable-small 0.17
  • nixos-25.11 0.17
    • nixos-25.11-small 0.17
    • nixpkgs-25.11-darwin 0.17

pkgs.astrolog

Freeware astrology program

  • nixos-unstable 7.70
    • nixpkgs-unstable 7.70
    • nixos-unstable-small 7.70
  • nixos-25.11 7.70
    • nixos-25.11-small 7.70
    • nixpkgs-25.11-darwin 7.70

pkgs.gnuastro

GNU astronomy utilities and library

  • nixos-unstable 0.24
    • nixpkgs-unstable 0.24
    • nixos-unstable-small 0.24
  • nixos-25.11 0.23
    • nixos-25.11-small 0.23
    • nixpkgs-25.11-darwin 0.23

pkgs.astronomer

Tool to detect illegitimate stars from bot accounts on GitHub projects

pkgs.astromenace

Hardcore 3D space shooter with spaceship upgrade possibilities

pkgs.astrolabe-generator

Java-based tool for generating EPS files for constructing astrolabes and related tools

  • nixos-unstable 3.3
    • nixpkgs-unstable 3.3
    • nixos-unstable-small 3.3
  • nixos-25.11 3.3
    • nixos-25.11-small 3.3
    • nixpkgs-25.11-darwin 3.3

Package maintainers